October 11, 2000
Evaluation Report No. 00-006

FDIC's Information Handling Practices for Sensitive Employee Data

Federal Deposit Insurance Corporation
801 17th Street NW, Washington DC 20434
Office of Inspector General
Congressional Relations and Evaluations

DATE:      October 11, 2000

TO:        Arleas Upton Kea
           Director
           Division of Administration

FROM:      Stephen M. Beard
           Assistant Inspector General

SUBJECT:   FDIC's Information Handling Practices for Sensitive Employee Data (EVAL-00-006)

The Office of Inspector General's (OIG) Office of Congressional Relations and Evaluations (OCRE) has completed a review evaluating how the Corporation safeguards or protects sensitive employee data and records. This was the second in a series of reviews we plan to do on privacy-related issues.[1] Although we worked with other divisions and offices, this report was addressed to you because we believed the Division of Administration (DOA) could most effectively address our recommendations.

As you are aware, the need to protect personally identifiable information has never been greater. For purposes of this review, we defined sensitive employee data to be personally identifiable information including an employee's name, address, Social Security number (SSN), or medical information. This definition was consistent with reports and articles written about privacy. There was particular concern about the availability of SSNs because they often are the best gateway to obtain other personal information.
The objectives of this review were to identify:

•   various administrative documents and systems that include sensitive employee data and the controls designed to protect that information, and
•   relevant policies and practices for handling sensitive employee data.

The intent of our work was to identify specific issues related to protecting the confidentiality of employee data that warrant management's attention or further review.

We found that the Corporation had policies and procedures designed to keep sensitive employee data confidential. Despite these measures, employee data was potentially vulnerable to the extent that employees did not follow procedures and general information system controls were not fully implemented or operating as intended.[2] For example, we were told and observed that the Corporate Time and Attendance Worksheet (CTAW) was not always kept secure throughout the time and attendance process. Each CTAW contained an employee's name and SSN. With these two pieces of information, an identity thief could do damage. Specifically, SSNs were considered the key to large amounts of personal information, including tax information, credit information, school records, and medical records.

[1] In May 2000, OCRE issued a report entitled FDIC's Privacy and Security Notices – Requirements and Policy Statements on the Internet and Intranet (EVAL-00-004).

With respect to information systems containing employee data, officials described to us controls designed to limit access to and the authority to modify data in systems that include sensitive employee data. However, the U.S.
General Accounting Office (GAO) identified weaknesses in FDIC's information systems general controls and included this as a reportable condition in its 1999 financial statement audit report.[3] GAO stated that until the Corporation fully implements its information security program, it might be difficult to ensure that its information system controls are operating as intended. In response to GAO's report, the Corporation stated that it will continue information system improvement efforts initiated in 1999 and will take additional corrective actions to address the issues and recommendations reported by GAO. The scope of our work in this area was limited. Accordingly, we made no conclusions or recommendations with respect to information systems.

We recommended that DOA periodically remind all employees about the need to routinely take precautions to keep sensitive employee data confidential. In addition, specifically related to CTAW, we recommended that DOA reevaluate our suggestion to mask or partially mask the employee's SSN on CTAW as an interim measure until CTAW is replaced. We believed it was important for DOA to reevaluate our suggestion if the time and attendance software being considered during our review proved not to be a viable option or was not implemented for an extended period of time.

Why is it important to keep sensitive employee data confidential?

The unnecessary disclosure of an individual's SSN creates the risk of confidential information being disclosed to any person or institution in possession of the individual's SSN.

Source: Electronic Privacy Information Center document

There has been increased concern over how personally identifiable data has been collected, used, and shared in both the government and private sectors. In general, privacy concerns have been defined to include the acquisition, use, and disclosure of personal information.
Personal information that is ineffectively safeguarded could result in such information being used improperly, unfairly, or for purposes other than those intended by an individual. More specifically, identity theft occurs when someone obtains personal information about an individual without their knowledge to commit fraud or theft.

[2] Information system general controls include corporate-wide security program planning and management, access controls, system software, application software development and change controls, segregation of duties, and service continuity controls.

[3] Financial Audit: Federal Deposit Insurance Corporation's 1999 and 1998 Financial Statements (GAO/AIMD-00-157), GAO report dated May 2000.

Congress enacted the Identity Theft and Assumption Deterrence Act of 1998 to provide citizens some recourse in resolving instances where their SSN has been misused. The Act sets forth criminal penalties for any person who knowingly transfers or uses, without lawful authority, the means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law or constitutes a felony under any state or local law.
The phrase "means of identification" is defined to include any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual. The definition includes, among other examples, name, SSN, and date of birth.

In August 1999, the Social Security Administration OIG reported that the expanded use of the SSN as a national identifier has given rise to individuals using counterfeit SSNs and SSNs belonging to others for illegal purposes.[4] More specifically, the Social Security Administration OIG reported that a large portion (35 percent) of all allegations made to its hotline were related to SSN misuse. Of the SSN misuse allegations it reviewed, 81.5 percent related to identity theft. Identity theft victims have had their credit histories destroyed by individuals who steal and use their SSN to obtain credit. Moreover, these victims have found that resolving credit problems resulting from identity theft can be time-consuming and frustrating. In fact, GAO has reported that the "human" costs of identity fraud can be very high.[5] These costs included emotional costs as well as various financial or opportunity costs. For example, victims might have been unable to obtain a job, purchase a car, or qualify for a mortgage.

To deter identity theft, experts have advised individuals not to disclose their SSN unnecessarily, not because disclosure in itself would be harmful, but because that information could be used to gain access to other information such as individual banking records or credit card numbers. For example, information brokers amass vast amounts of personal information, including SSNs, about members of the public for resale. When possible, information brokers retrieve data by SSN because it is more likely than other identifiers to produce records unique to the individual.
Furthermore, published reports and articles indicated that in many cases one illicit source of data was the workplace.

Indeed, privacy advocates have warned that privacy issues should not be ignored in the workplace. Accordingly, these advocates stated that organizations need to be extremely cautious about collecting, using, and disclosing SSNs of customers and employees. If lists of employee names and SSNs were available within an organization, employees could be bribed or corrupted to sell them, or could misuse the information themselves. Because this information is often sensitive, it should be kept confidential. At FDIC, there have been reported incidents where FDIC employees have intentionally misused information entrusted to them. In fact, the OIG's Office of Investigations was reviewing one such case during our review. Consequently, as an employer, FDIC needs to remain ever vigilant to minimize such opportunities for a dishonest employee.

[4] Analysis of Social Security Number Misuse Allegations Made to the Social Security Administration's Fraud Hotline (A-15-99-92019), Social Security Administration OIG report dated August 1999.

[5] Identity Fraud: Information on Prevalence, Cost, and Internet Impact is Limited (GAO/GGD-98-100BR), GAO report dated May 1998.

In 1996, an internal task force studied how FDIC monitored, managed, and controlled sensitive documentary information throughout the Corporation. This confidentiality task force focused its review on sensitive business documents. The task force concluded at that time that FDIC did not have a widespread problem with breaches of confidentiality.
The task force further concluded that the efforts to promote a confidentiality culture should be reinforced and reemphasized over time at the corporate level.

What did our work involve?

Our review objectives were to identify:

•   various administrative documents and systems that include sensitive employee data and the controls designed to protect that information, and
•   relevant policies and practices for handling sensitive employee information.

As we stated above, for the purpose of this review, we defined "sensitive employee data" to include an employee's name, SSN, address, and health information. The scope of our review was broadly defined to include those divisions and offices in headquarters that we determined would routinely handle sensitive employee records or data. We primarily focused on offices within DOA. Specifically, we interviewed officials in the Personnel Services Branch (PSB), Training and Consulting Services Branch, and Acquisition and Corporate Services Branch.

We also met with officials from the Division of Finance (DOF), Division of Information Resources Management (DIRM), Office of Ombudsman (OO), Office of Diversity and Economic Opportunity (ODEO), and Office of the Executive Secretary (OES), all of whom handle sensitive employee data. Moreover, we met with officials from our Office of Management and Policy.
Finally, we interviewed administrative management officials in the Division of Supervision and Division of Resolutions and Receiverships to get their views and discuss their practices.

In general, we discussed the following:

•   the type of employee data maintained in the division or office – both manual records and data within systems,
•   physical safeguards for records or files with sensitive employee data,
•   access controls for the systems with sensitive employee data,
•   procedures or practices for safeguarding employee data,
•   protections in place for employee data shared or maintained by contractors and third-party benefit providers, and
•   their views about the vulnerability of sensitive employee data to unauthorized access and misuse.

We also reviewed:

•   relevant policies and procedures and applicable laws and regulations,
•   various background articles and reports about privacy and identity theft, and
•   internal memoranda and the final report issued in 1996 by an FDIC internal confidentiality task force.

We decided not to test compliance with policies and procedures or controls. Our decision was based on the results of our discussions with management, other work completed by the OIG and GAO, and relevant corporate initiatives planned or underway that reflected the Corporation's desire to ensure employee data was kept confidential.[6] Had we performed detailed testing, other matters may have come to our attention.

Finally, as stated above, the scope of our work with respect to information systems was limited to discussions with officials about systems containing sensitive data and did not include testing of general controls designed to safeguard those systems from unauthorized access or data manipulation.
As part of our work, we reviewed GAO's Financial Audit: Federal Deposit Insurance Corporation's 1999 and 1998 Financial Statements (GAO/AIMD-00-157, May 2000) and GAO's management letter issued to the Chairman about weaknesses identified in FDIC's information system controls.

Our review was conducted in headquarters from April to August 2000 according to the President's Council on Integrity and Efficiency's Quality Standards for Inspections.

Where is sensitive employee data?

In the course of conducting business, the Corporation creates and receives information of a confidential or sensitive nature. This includes, among other things, sensitive employee data. As with any organization, sensitive employee data is needed in many instances for administrative purposes. Specifically, FDIC uses the employee's SSN as the employee identification number. As discussed later, FDIC plans to use a different employee identification number when the Corporate Human Resource Information System (CHRIS) is implemented.

At the time of our review, because the SSN was used as the employee identification number, supervisors, administrative officers, and timekeepers within divisions and offices were privy to confidential employee information in meeting their responsibilities when handling training requests, performance evaluations, personnel actions, and the like. In addition, employees might keep copies of administrative forms or personnel actions about themselves at their desks. Employee data is routinely maintained or processed in certain divisions such as DOA and DOF. Moreover, the health and fitness centers have sensitive medical data. ODEO and OO have other types of information that are considered sensitive to employees.
Finally, third-party benefit providers and contractors might maintain or access sensitive employee data.

[6] FDIC OIG's Office of Audit has also initiated a survey, Independent Security Review of FDIC's Mainframe and Related Procedures (Audit Project 2000-919). The objectives of that project are to assess the information system security controls over the mainframe using DIRM's independent security review procedures and to evaluate DIRM's independent security program to identify process improvement opportunities.

How is sensitive employee data handled at FDIC?

Most FDIC employees recognize and safeguard confidential information that has been entrusted to them.

Source: 1996 Confidentiality Task Force conclusion

Corporate and division policies had been issued which set forth procedures, and employees have developed common practices which, when followed, establish an environment where sensitive data should be safeguarded. Appendix III highlights excerpts from FDIC internal guidance that addresses the need to keep employee data confidential. Some divisions and offices have developed written procedures to provide additional guidance on this matter. In addition, FDIC was taking action to ensure information system general controls were operating as intended.

At a corporate level, personnel or employee records are considered confidential and, as such, should only be disclosed to those individuals who have a need to know the information for purposes of conducting business. The Corporation and all its employees are obligated to protect confidential information. The Privacy Act of 1974 provides the overall framework for collecting and maintaining personal information about individuals.
In addition, FDIC has rules that limit the disclosure of confidential information under the Freedom of Information Act.

More specifically, FDIC Circular 1031.1, The Privacy Act of 1974: Employee Rights and Responsibilities, provides guidance to employees about the rights and responsibilities imposed by the Privacy Act. This circular:

•   establishes the Corporation's responsibilities for collecting and maintaining information, and
•   recognizes that each employee will come into direct contact with information about other individuals, and that it is essential that each employee be familiar with the provisions of the Privacy Act.

The circular requires the Corporation to establish reasonable administrative, technical, and physical safeguards to assure that records are disclosed only to those who are authorized to have access. Each employee has responsibilities for preventing disclosure of information on individuals contained in Corporate systems of records unless consent for disclosure has been given. Additionally, employees are to ensure that official files retrievable by name or other identifier are included in the Corporation's systems of records.

FDIC's procedures and practices are designed to prevent unauthorized disclosure of, or access to, records or systems by individuals without a business need to know. Some of the general procedures and practices described to us included:

•   Confining offices and divisions that handle or process significant employee data and records to limited access floors. Examples include PSB, Security Management Section, ODEO, and OIG.
•   Keeping official personnel folders in PSB and the OIG's Human Resources Branch in locked file rooms and monitoring access to those files in accordance with U.S.
Office of Personnel Management requirements.
•   Keeping unofficial personnel files maintained by administrative officers in locked file rooms or file cabinets.
•   Using sensitive document covers and folders. The purpose of these document covers or folders is to inform persons handling the documents that the documents are sensitive or confidential in nature and should only be shared with FDIC staff or authorized contractors who require the information to perform their duties. Moreover, these covers serve as a reminder that the documents need to be secured in accordance with appropriate guidance.
•   Providing training to officials that routinely handle sensitive employee data and records about their responsibilities. DOA officials and the OIG's Human Resources Branch officials also told us that they were trained to safeguard personnel records. Likewise, OO, ODEO, and OES officials told us that they were trained to handle confidential information – including personally identifiable employee data – with great care. Administrative officers whom we met in divisions and offices were aware of the need to keep unofficial personnel records and other administrative files that contain sensitive employee data in a secure environment.
•   Sending reminders periodically to personnel who routinely handle sensitive information about their responsibilities to safeguard that information.
For example, in February 2000, PSB issued a memorandum addressing this issue.
•   Implementing clean desk policies in some offices to help ensure that sensitive information is not inadvertently left unattended.
•   Evaluating safeguards over sensitive data as part of the annual Internal Control Assessment Process.
•   Establishing a corporate-wide suitability program to help ensure that FDIC only employs persons who meet all Federal requirements for suitability, including character, reputation, honesty, integrity, and trustworthiness, and whose employment or conduct will not jeopardize the accomplishment of the Corporation's duties or responsibilities.

Some offices had memorialized their policies and practices in writing. In response to our question, five of the offices we contacted provided us with copies of written policies addressing the need to protect employee data: DOA, OO, DIRM, DOF, and OIG.

The Corporation had also designed safeguards to help ensure that employee data needed by contractors or third-party benefit providers was kept confidential. Specifically, the Corporation incorporated data confidentiality clauses in FDIC contracts which provided that any data a corporate contractor comes into contact with will not be disclosed to any other party except as required by law or regulation. However, we found that FDIC did not have a confidentiality agreement in place, either through the policy agreement or the contracting vehicle, with CIGNA Corporation. CIGNA Corporation provides FDIC employees with dental insurance.
As a result of our review, however, FDIC was working with CIGNA Corporation to get an agreement in place to ensure that enrollment and claim information provided to CIGNA Corporation by FDIC employees is safeguarded.

Although physical security is important, protecting hardcopies of corporate information in locked file cabinets and locked offices is no longer sufficient security when most of the original data is on-line and accessible from at least one computer system. As we previously mentioned, in its 1999 financial audit report, GAO reported general control weaknesses over information systems. The Corporation has stated that it will continue information system improvement efforts and will take corrective actions to address the issues and recommendations reported by GAO.

In addition, officials we interviewed were aware of the need to limit access to systems containing sensitive employee data to those individuals with a business need to know. For example, PSB's Assistant Director, Information Systems and Services Section, described the following controls applicable to the personnel systems:

•   All of the systems required a login ID and were password protected.
•   There were also levels of authority granted to authorized users – some users were granted read-only access or could only update certain fields or data elements.
•   Systems only appeared on the desktops of authorized users.

Of these, only the login and the levels of authority actually restrict what a user can do; not showing a system on a desktop limits what users see, not what they can reach.

The Assistant Director, Information Systems and Services Section, also told us that access controls over all personnel systems had improved as a result of corrective actions taken in response to a 1999 OIG audit.[7] Specifically, OIG reported that FDIC needed additional procedures, processes, and controls to more fully protect personnel database files from unauthorized browsing and intentional or inadvertent unauthorized changes.
In response to that report, PSB completed a "scrub" of the authorized users of each of its systems and began reviewing and updating the list of authorized users on a quarterly basis. A more recent OIG review also resulted in improved physical safeguards over confidential information collected and generated during the application process.[8]

Where is employee data potentially at risk of unauthorized disclosure or use?

The risk of identity theft can be minimized by managing personal information wisely, cautiously, and with heightened sensitivity.

Source: Federal Trade Commission booklet, ID Theft: When Bad Things Happen to Your Good Name

Despite the procedures and practices designed to safeguard employee data, sensitive data was potentially vulnerable to the extent that employees did not follow procedures and general information system controls were not fully implemented or operating as intended. Moreover, as mentioned in one article, ultimately it is people who protect information, not policies. For that reason, people must understand policies and take responsibility for implementing them. To strengthen information handling practices, privacy advocates recommended (1) raising employee awareness about their responsibilities and the importance of securing sensitive information and (2) minimizing the use of the SSN on any documents widely seen by others. At FDIC, this included CTAWs.

[7] Audit of Personnel Action Processing Controls and Security (Audit Report No. 99-028), dated July 29, 1999.

[8] Internal Controls Over Confidential Information Collected and Generated During the Application Process (Evaluation Report No. 00-003), dated March 24, 2000.

Officials we met with acknowledged that individuals might be careless, at times, in handling forms, reports, or records that contain sensitive employee data.
Our discussions with officials indicated that this inadvertent carelessness could be attributed to two factors: (1) the use of employees' names and SSNs for administrative purposes and (2) the lack of awareness about the reported incidents of information being mishandled at FDIC. In short, employees might not always think about how often they provide this information or handle documents of this nature.

For example, an employee might have copies of personnel action forms, time and attendance reports, or benefit forms in a file drawer or on their desk, but leave the office and file drawer unlocked. Likewise, an employee might complete a training authorization form and place it in the training coordinator's mailbox without putting the form in an envelope. In both cases, sensitive employee data is at risk and steps could easily be taken to limit access to that information. Employees might not always properly dispose of documents with sensitive data. Policies and common sense dictate that these types of documents be shredded. Privacy advocates recommend that employees be reminded about their responsibilities to safeguard documents with sensitive information. Consequently, employees need to understand the importance of securing this type of information whether it is sensitive information about themselves or fellow employees.

In response to recent indictments of government employees, including an FDIC employee, OES issued a global Email on August 17, 2000, that was designed to raise awareness about what information is considered to be sensitive and confidential in order to prevent the inadvertent disclosure of such information. OES also posted questions and answers about the confidentiality of records on its web page on the FDICnet. This page also has links to related Email messages on identity theft and privacy of electronic communication.
Specifically, on June 14, 2000, DCA issued an Email that provided information about identity theft. This Email provided employees an opportunity to learn how to minimize the risk of being a victim of identity theft. DOA's Security Management Section also periodically sends security reminder Emails to all employees.

When asked where employee data was vulnerable, officials we interviewed consistently responded CTAW. Employee name and SSN are included on CTAW to ensure record accuracy and for identification purposes. Officials were concerned because they had observed in many instances that these forms are unwittingly left unattended in in-boxes or on the desks of employees, supervisors, or timekeepers. Consequently, officials believed that these forms potentially could be seen by others who otherwise should not have access to this information.

Privacy advocates have suggested that the use of SSNs for record keeping purposes and as personal identifiers be strongly discouraged. Moreover, when SSNs are used, organizations should have strict policies prohibiting the display of SSNs on documents that are widely seen by others – one example being time cards. During our review, FDIC used the employee's SSN as the employee identification number, but planned to use an alternative number when CHRIS was fully implemented.

With respect to other forms, DOA's Directives and Forms Management Group, the Legal Division, and OES routinely work together to help ensure that such things as employee name, SSN, or other information are only collected when there is a legitimate need to do so. This is done as part of FDIC's responsibilities under the Privacy Act.[9]
Specifically, OES and Legal Division officials review forms to ensure the proper Privacy Act notice is included on forms that do collect sensitive employee data.

Some offices had implemented measures to protect CTAWs during processing. For example, in one office, we were told that CTAWs were kept in file folders as they were routed through the supervisor and timekeepers. Other offices established a clean desk policy to help ensure that documents were not inadvertently left unattended. DOF was piloting the use of locked in-boxes in headquarters to help ensure that employees' CTAWs were kept secure until processing began.

The scope of our work did not include evaluating the specific handling practices of CTAWs in each office. However, in light of concerns raised, we discussed with officials in PSB and DIRM the possibility of reprogramming CTAW to partially or fully mask employees' SSNs when the form is printed. We were told that this could be done technically, but PSB would need to study the impact it would have on timekeepers who may rely on the SSN printed on the CTAW to input data into the Biweekly Time and Attendance system. Officials were also concerned about the costs to reprogram CTAW. In addition, we were told that PSB was currently evaluating a new time and attendance software package that would improve the time and attendance process and eliminate the paper-based CTAW. Thus, PSB preferred to wait until it had completed its assessment of the new software before considering interim measures that might not prove to be cost beneficial.

What more can FDIC do?

Aside from existing policies and practices, we recognized that several Corporate initiatives planned or underway were aimed at reducing the routine use of sensitive employee data and increasing employee awareness about the importance of safeguarding sensitive data about themselves or fellow employees.
Specifically, as we have mentioned, the Corporation:\n\n\xe2\x80\xa2   was working with CIGNA Corporation to establish a confidentiality agreement,\n\xe2\x80\xa2   had completed a review of forms to ensure that Privacy Act notices are placed where\n    required,\n\xe2\x80\xa2   was working to improve information system general controls,\n\xe2\x80\xa2   was planning to create new employee identification numbers with the implementation of\n    CHRIS,\n\xe2\x80\xa2   was evaluating options for replacing CTAW in the near term, and\n\xe2\x80\xa2   had issued global Emails about identify theft and employee responsibilities with respect to\n    disclosure of confidential information.\n\nIn addition, the Assistant Director, Security Management Section, told us that a new working\ngroup would be formed that would focus on document security at FDIC. We discussed the goal\nof the working group and the results of our work and the findings of the 1996 confidentiality task\nforce. We offered to participate in that task force in any way deemed appropriate.\n\n9\n  The Privacy Act requires that agencies provide Privacy Act notices to inform individuals of the authority for the\nsolicitation of information, whether disclosure of the information is mandatory or voluntary, the principle purposes\nfor which the information will be used, the routine uses to be made of the information, and the effects, if any, of not\nsupplying all or part of the information.\n\n                                                          10\n\x0cNevertheless, we believed routine reminders were the key to maintaining employee awareness\nabout the importance of this issue. Moreover, this measure was consistent with the\nconfidentiality task force recommendation that a confidentiality culture should be reinforced and\nreemphasized over time at the Corporate level. DOA representatives agreed. To that end, we\nrecommended the Director, DOA, have the Assistant Director, Security Management Section:\n\n1. 
Send periodic reminders to all Corporate employees about the importance of keeping\n   sensitive data safeguarded during everyday operations and in personal records. We\n   suggested this message remind employees about the need to:\n\n\xe2\x80\xa2   secure their personal files that may contain sensitive data in their own workspace,\n\xe2\x80\xa2   follow existing policies and practices with respect to security and disclosure of confidential\n    information, and\n\xe2\x80\xa2   properly dispose of confidential information in accordance with relevant guidance.\n\nIn addition, to ensure that concerns raised about CTAW were addressed until more permanent\nmeasures were implemented, we recommended the Director, DOA:\n\n2. Reevaluate our suggestion to fully or partially mask SSNs on CTAW if the time and\n   attendance software package being considered proved not to be a viable option for the\n   Corporation or was not implemented for an extended period of time.\n\nPSB\xe2\x80\x99s Assistant Director, Information Systems and Services Section, agreed that this option\nshould be reevaluated. We also suggested that the Director, DOA, consider raising this issue\nwith the Privacy Advisory Group once it was formally established. A discussion in that forum\nmay generate other options that we might not have considered.\n\nCorporation Response and OIG Evaluation\n\nWe received a written response from the Director, DOA, dated October 10, 2000, addressing our\nrecommendations. Overall, DOA management officials agreed with our recommendations. The\nresponse provided the requisite elements of a management decision for each of the\nrecommendations. The written response is included in its entirety in Appendix I. 
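The partial SSN masking that recommendation 2 asks DOA to reevaluate, shown as an added example in Python that is not from the report or from any FDIC system: the worksheet is rendered with only the last four digits of the SSN visible (the assumption here is that those four digits are enough for a timekeeper to match the sheet to the BTA record), and a pre-print check flags any plausible unmasked SSN left in the output. The record field names and the sample employee record are constructed for the example.

```python
"""Added example (not part of the FDIC OIG report): mask SSNs before a
time-and-attendance sheet is rendered for printing, then check the rendered
text so that no unmasked SSN reaches the printer.

Assumptions (constructed, not taken from the report): a CTAW record is a dict
with 'name' and 'ssn' keys, and timekeepers only need the last four digits.
"""
import re

# 9 digits written as 123-45-6789, 123 45 6789 or 123456789. The lookarounds
# keep longer digit runs (account numbers, 10-digit phone numbers) from matching.
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop number shapes the SSA never issues, to reduce false positives:
    area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask_ssn(ssn: str, keep_last: int = 4) -> str:
    """Return the SSN with all but the trailing keep_last digits replaced by X.
    keep_last=4 is the partial masking discussed in the report; 0 masks fully."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    if not 0 <= keep_last <= 9:
        raise ValueError("keep_last must be between 0 and 9")
    shown = digits[9 - keep_last:] if keep_last else ""
    masked = "X" * (9 - keep_last) + shown
    return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"


def render_ctaw(record: dict, keep_last: int = 4) -> str:
    """Render the printable header of a CTAW-like sheet with the SSN masked.
    The layout is illustrative only; the real form is not reproduced here."""
    return (
        "Corporate Time and Attendance Worksheet\n"
        f"Employee: {record['name']}\n"
        f"SSN: {mask_ssn(record['ssn'], keep_last)}\n"
    )


def find_unmasked_ssns(text: str) -> list:
    """Scan text bound for the printer; return every plausible unmasked SSN.
    Masked values such as XXX-XX-6789 contain no 9-digit run and are not hits."""
    return [m.group(0) for m in SSN_PATTERN.finditer(text)
            if is_plausible_ssn(*m.groups())]


if __name__ == "__main__":
    # Constructed sample record; the SSN is a placeholder, not a real number.
    sample = {"name": "Jane Doe", "ssn": "123-45-6789"}
    sheet = render_ctaw(sample)
    print(sheet)
    print("unmasked SSNs found:", find_unmasked_ssns(sheet))
```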
Appendix II presents our assessment of the response to the recommendations and shows that we have a management decision for each of the recommendations.

In closing, given the rising concerns about privacy, my office remains committed to monitoring the impact of privacy-related issues on the Corporation. Please let me know if you are interested in having my office do additional work to more fully address any of the issues discussed in this report, or look into any other privacy concerns you may identify. We appreciate the assistance your staff provided us during our review. If you would like to further discuss the results of our review, please call me at (202) 416-4217.

Attachments


Appendix I

Corporation Comments


Appendix II

Management Response to Recommendations

This table presents management responses to recommendations in our report and the status of management decisions. Management’s written response to our report provided the information for management decisions.

Rec. Number: 1
Corrective Action, Taken or Planned: DOA’s Security Management Section will remind all employees of the need to keep sensitive/confidential documents safeguarded during everyday operations via a global e-mail.
Expected Completion Date: December 10, 2000
Documentation That Will Confirm Final Action: Global E-Mail
Monetary Benefits: No
Management Decision (Yes or No): Yes

Rec. Number: 2
Corrective Action, Taken or Planned: DOA, PSB will reevaluate OIG’s suggestion to mask the social security number on the Corporate Time and Attendance Worksheet.
Expected Completion Date: October 31, 2000
Documentation That Will Confirm Final Action: Memorandum Reporting on Results of Evaluation
Monetary Benefits: No
Management Decision (Yes or No): Yes


Appendix III

FDIC Internal Guidance Regarding the Handling of Sensitive Employee Data

This table highlights excerpts from FDIC internal guidance that addresses the need to keep employee data confidential. Each entry gives the reference followed by its relevant highlights.

The Privacy Act of 1974: Employee Rights and Responsibilities (Circular 1031.1, dated 03/29/89)
•   The Privacy Act provides rights to and imposes responsibilities on each FDIC employee. Because of its wide-ranging impact, it is essential that each employee be familiar with its provisions.
•   The Corporation is responsible for maintaining in its systems of records only such information as is necessary and relevant to a function that the Corporation is required to perform.
    The Corporation is also responsible for establishing reasonable administrative, technical, and physical safeguards to assure that records are disclosed only to those who are authorized to have access.
•   Each employee is responsible for ensuring that no record contained within a system of records is disclosed to any person or to any agency outside the Corporation without prior written consent of the individual who is the subject of the record. There are exceptions to the disclosure rules – disclosures may be made to Corporation employees who have a “need to know” the information in the performance of their duties – under one of the routine uses published by the Corporation for a particular system of records.
•   The Privacy Act allows each individual to have access to records kept about him or her. This is especially important because the majority of the Corporation’s systems of records are about Corporation employees.

Official Records and Personal Papers (Circular 1210.11, dated 09/22/87)
•   Purpose is to provide policy, procedures, and guidelines applicable to the handling of official records and personal papers by Corporation officials and employees.
•   Personal use of extra copies of official Corporation records: retention of extra copies must not “violate confidentiality required by national security, privacy or other interests protected by law.”
•   Officials and employees must not remove official records from the files. This material is in their custody for official purposes only.

FDIC Records Management Program (Circular 1210.18, dated 05/28/97)
•   Establishes policies and procedures governing FDIC’s records management program.
•   Exempt records as defined in 12 C.F.R. Part 309 (and FDIC Rule §309.5, which includes personnel, medical and similar files) shall be maintained as confidential by all present and former employees and may not be released outside the FDIC without written authorization as provided in Part 309.
•   FDIC employees shall ensure that their files are complete and accessible only to authorized individuals by implementing their division or office guidelines for securing confidential information.

FDIC Forms Management Program (Circular 1213.1, dated 10/20/94)
•   The Document Management Section is responsible for ensuring that all FDIC forms subject to a Congressional act or a management information requirement (e.g., Paperwork Reduction Act, Privacy Act of 1974) are coordinated and approved by the proper authority.
•   OES controls research and provision of Privacy Act Statements on those forms which request information on an individual and are maintained and retrieved using a personal identifier (i.e., Social Security number).

Data Stewardship (Circular 1301.3, dated 05/11/95)
•   Purpose is to promote reliable information and to ensure data availability to clients, as needed, throughout the Corporation.
•   Data sensitivity establishes the basis for how data will be protected from unauthorized disclosure, alteration, or loss of use.
•   Data stewards serve as the source of information for data definition and protection.
•   Data stewards will define rules which designate who can create, update, delete, and retrieve data.
•   Data stewards will work with the DIRM Data Administrative Unit and Security Administration Section to identify data sensitivity levels.

Information Technology Security Risk Management Program (Circular 1310.3, dated 11/24/97)
•   Establishes a program that identifies the Corporation’s general support systems and major applications.
•   Establishes a framework for determining security risks and control requirements, and provides for their independent review and management authorization.
•   The Corporation has a responsibility to assess the capabilities of these general support systems and major applications to protect the confidentiality, integrity, and availability of the sensitive data they process.
•   Sensitivity categories will provide security commensurate with the application’s perceived risk, thus ensuring that required security measures will be practical and cost-effective.
•   Vulnerabilities are the ways in which an application or system may fail or be attacked. They include unauthorized access to sensitive data or information.
•   The Directive defines the roles and responsibilities for implementing the corporate-wide Risk Management Program.

Internet Access and Acceptable Uses (Circular 1351.3, dated 09/02/94)
•   Establishes policies, guidelines, and responsibilities for access to and acceptable uses of the Internet at the FDIC.
•   Employees are required to be aware of computer security and privacy concerns and to guard against computer viruses and security breaches of any kind.
•   Employees who use the Internet will not send any sensitive information without prior approval from the appropriate managers, data stewards, and DIRM’s Security Administration Section.

Automated Information Systems (AIS) Security Policy (Circular 1360.1, dated 12/23/96)
•   Establishes policy and assigns responsibilities for ensuring adequate levels of protection for FDIC automated information systems and the information processed, stored, or transmitted by them.
•   Automated information security addresses three aspects of information – confidentiality, integrity, and availability.
•   Sensitive information is defined to include records about individuals requiring protection under the Privacy Act, and information not releasable under the Freedom of Information Act.
•   Sensitive information will be protected from unauthorized modification, destruction, or disclosure, whether accidental or intentional, through the use of appropriate technical, administrative, physical, and personnel controls.
•   Access to sensitive information and information systems will be based on business needs.
•   FDIC and contract personnel who work in sensitive positions (i.e., positions that entitle the incumbent to access sensitive information) will undergo appropriate suitability checks.

FDIC Information Security Officer’s Handbook (Circular 1360.7, dated 12/21/95)
•   Publishes automation security policies.
•   The Security Administration Section (DIRM-SAS) is responsible for developing and implementing automation security policies and procedures.
•   All FDIC Information Security Officers are responsible for requesting and monitoring access on behalf of employees within their scope, and for reporting violations of computer security to SAS.

Data Sensitivity (Circular 1360.8, dated 05/19/95)
•   Defines attributes of sensitivity applicable to automated corporate data.
•   Data sensitivity is defined as the characteristics of data that determine the protection requirements needed to address unauthorized disclosure, alteration, or loss of use.
•   Data sensitivity levels are confidentiality, integrity, and availability.
•   Nonpublic information includes information that an employee knows, or reasonably should know, is designated as confidential by an agency.
•   Data with a confidentiality level of Official Use or Limited Official Use shall be disseminated only on a need-to-know basis.
•   Individual users shall ensure that protection of replicated data remains commensurate with its confidentiality level.

Access Control for Automated Information Systems (Circular 1360.15, dated 03/24/00)
•   Establishes the policy and the roles and responsibilities for managing access to FDIC Automated Information Systems (AISs) and data.
•   Management systems are in place to track access requests and maintain user access profiles and authorization histories.
•   Sensitive AISs and data shall be protected from unauthorized access, disclosure, and use.
•   Access will be terminated when no longer required or when access privileges have not been used for a predetermined period of time.
•   Information Security Officers administer access authorization and local termination actions and review access control related security reports.
•   Sensitive data is defined to include data covered by the Privacy Act.
•   Sensitive system – an automated information system that requires protection because it processes sensitive data.

Personnel Suitability Program (Circular 2120.1, dated 09/24/99)
•   Informs management officials and employees of the Corporation’s policy regarding the Personnel Suitability Program.
•   The suitability program has established personnel security policies and procedures to assure an adequate level of security for the Corporation’s automated information systems. These policies include requirements for screening all individuals having access to sensitive data.
•   The Security Management Section maintains investigative files in a secured area, separate from personnel records. Information contained in these files shall be used and disseminated only in accordance with the Privacy Act, and only authorized personnel shall have access to these records; disclosure to officials in the Corporation shall be made only on a need-to-know basis and all such disclosures shall be documented.
•   Reports of Investigation are part of the U.S. Office of Personnel Management record system and are subject to the routine uses listed in the Federal Register for that record system.

Time and Attendance Reporting (Circular 2300.5, dated 10/31/97)
•   GAO regulations require that a daily record keeping system be established.
•   DOA is responsible for time and attendance (T&A) program management, including development of policy. DOA headquarters is the data steward for the Biweekly Time and Attendance (BTA) System.
•   DIRM is responsible for maintaining and protecting data files from unauthorized access, ensuring that data is completely and accurately processed, and coordinating and forwarding to DOA all requests to add or delete timekeepers’ access to the BTA system.
•   Timekeepers are responsible for receiving all approved T&A documents and reports from the supervisor and filing all original documents in a locked file cabinet; protecting T&A data files from unauthorized access and modification; retaining the records in a locked file cabinet; maintaining strict confidentiality of log-ons/passwords for security purposes; and routinely logging out of the BTA system when leaving their work area.
•   The supervisor is responsible for maintaining the confidentiality of employees’ T&A information.
•   The Designated Auditor is responsible for retaining audit files for six (6) years, in addition to the current year, in a locked file cabinet.
•   Division and Office directors, or their designees, are responsible for providing an adequately controlled environment for collecting and reporting employees’ daily T&A data.
•   Information Security Officers are responsible for coordinating and forwarding to DOA all requests to add or delete timekeepers’ access to the BTA System; establishing passwords for timekeepers to access that portion of the FDIC mainframe system where the BTA system resides; and suspending and reinstating timekeepers’ access.

Public and Confidential Financial Disclosure Reports and Other Related Employee Ethics Forms Required to be Filed (Circular 2410.2, dated 02/21/97)
•   The Confidential Financial Disclosure Reports and other employee related forms are confidential and required to be withheld from the public. The forms contain sensitive commercial and financial information as well as personal information, which is exempt from disclosure. All forms and related documents which comprise the ethics system of records are to be stored in locked cabinets or in locked offices.

New Employee Orientation Program Policy (Circular 2600.3, dated 10/15/98)
•   Provides policy and procedures to FDIC managers and supervisors on the New Employee Orientation Program.
•   Appendix D, Supervisor’s Checklist, includes among the items to be discussed with the new employee the Privacy Act and administrative issues specific to the local office, including the protection of sensitive information.
•   Appendix E, Telephone/Computer Security Information, discusses do’s and don’ts for passwords, e-mail and diskettes.
•   Appendix G, Safeguarding Information Technology Assets, emphasizes safeguarding IT equipment, especially laptops.

FDIC Employee Assistance Program (EAP) (Circular 2821.1, dated 07/07/99)
•   Informs FDIC employees of the responsibilities and functions of the FDIC Employee Assistance Program (EAP).
•   The objectives are to:
    •   assist employees with problems related to daily life, and
    •   assist FDIC managers and supervisors in identifying and appropriately dealing with employees who are experiencing a decline in job performance and/or conduct as a result of personal problems.
•   “The supervisor should maintain any information received from an EAP counselor or a treatment provider about the employee in a confidential manner.”
•   “CONFIDENTIALITY: Counseling discussions are confidential and cannot be disclosed without the employee’s written permission as provided by form FDIC 2800/27, Authorization to Release Information. Confidential communication can only be divulged without a written release from the employee when serious intent of suicide, homicide, child or elder abuse is assessed.”

Official Mail (Circular 3130.11, dated 02/12/93)
•   Discusses responsibilities, guidelines and procedures relating to the Corporation’s official mail operations.
•   For confidential material, use FDIC Messenger envelopes or affix plain labels to large plain envelopes or Jiffylite insulated bags.

Disposition of Excess Computer Equipment (Bulletin 3200, dated 10/23/99)
•   Establishes interim policy, procedures, and responsibilities related to the disposition of excess computer equipment.
•   DIRM, Client Services Branch shall identify excess computer equipment, clean hard drives so that no data or software remain, and release the equipment to the ACSB Property Management Official.

Modem Line Security (Policy Memorandum 98-001)
•   Centrally managed modem pools shall be used in preference to individual modem lines. Individual outbound or inbound modem lines are permissible provided they serve a justifiable FDIC business need that cannot otherwise be met and employ adequate security precautions.
•   Centrally managed modem pools shall be configured for outbound service only.
•   Upon user session completion the connection will be dropped.
•   Audit logs shall be employed to provide monitoring capability.

Personal Computer Information Security (Policy Memorandum 98-010)
•   Establishes the policy and standard for personal computer information security at FDIC.
•   Users of FDIC supplied systems shall take appropriate measures to provide added security for their assigned personal computer systems. Measures include screen savers with keyboard locking or turning off the PC when leaving it unattended, safeguarding passwords, and avoiding making sensitive information available across the network without proper controls.